I see that there is an interesting and active discussion on this now. Everyone may be sure that I will be posting further comments shortly which clarify my personal position on all the matters discussed so far.
In the meantime however, I just realized that I neglected to clarify how I came to find that VERIFIED[.]IS web site in the first place.
It may not be at all important, but just so everyone knows, I found that VERIFIED[.]IS indirectly. First, I stumbled onto the following web site, which is clearly selling credit cards *and* also (U.S.) social security numbers (SSNs) and dates-of-birth (DOBs). (You can even pick out which U.S. state you prefer!) These bits of information are often helpful to people intent on committing identity theft:
http://www.wellsfargo.lequeshop[.]ru/
As you can see, there is an email address on the above page. It is <mixx@exploit.im>. I simply googled that email address and then started to visit the web sites found.
One of them was verified[.]is
But this criminal carder ... who seems to be Russian... is also active on many other web sites, presumably selling what he has to offer in many different forums.
Regards, rfg
Hi again, Ron!
First of all thank you for all your contributions to this list - I personally (as I stated before) use to null-route prefixes you report. I don't intend to recommend this sort of policy to everyone - this is just my company's routing policy. Some others (even large backbones) even use Spamhaus's DROP lists which I don't trust.
I think what we all need is some RIPE-managed database to list such prefixes and NCC-appointed persons to approve them as 'rogue' if there was enough evidence provided. Such a database may be provided by means of DNSBL and BGP feed. Such a database can be *voluntarily* used by those ISPs who are committed to keeping Internet clean of UBE, DDoS, spoofing, and so on and so forth. This would be a good community-driven alternative to commercial DNSBLs, DROPs, etc.
On 08/09/16 22:53, Ronald F. Guilmette wrote:
I see that there is an interesting and active discussion on this now. Everyone may be sure that I will be posting further comments shortly which clarify my personal position on all the matters discussed so far.
In the meantime however, I just realized that I neglected to clarify how I came to find that VERIFIED[.]IS web site in the first place.
It may not be at all important, but just so everyone knows, I found that VERIFIED[.]IS indirectly. First, I stumbled onto the following web site, which is clearly selling credit cards *and* also (U.S.) social security numbers (SSNs) and dates-of-birth (DOBs). (You can even pick out which U.S. state you prefer!) These bits of information are often helpful to people intent on committing identity theft:
http://www.wellsfargo.lequeshop[.]ru/
As you can see, there is an email address on the above page. It is <mixx@exploit.im>. I simply googled that email address and then started to visit the web sites found.
One of them was verified[.]is
But this criminal carder ... who seems to be Russian... is also active on many other web sites, presumably selling what he has to offer in many different forums.
Regards, rfg
--
Kind regards,
CTO at *Foton Telecom CJSC*
Tel.: +7 (499) 679-99-99
AS42861 on PeeringDB <http://as42861.peeringdb.com/>, Qrator <https://radar.qrator.net/as42861>, BGP.HE.NET <http://bgp.he.net/AS42861>
http://ipv6actnow.org/
Maintaining such a list actually takes a lot more abuse and threat intel clue than it would appear necessary at first sight. I trust Spamhaus, especially related to their DROP list, which is extremely specific in its listing criteria.
--srs
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sergey <gforgx@fotontel.ru>
Date: Wednesday, 10 August 2016 at 2:06 AM
To: <anti-abuse-wg@ripe.net>
Subject: Re: [anti-abuse-wg] VERIFIED[.]IS
Hi again, Ron!
First of all thank you for all your contributions to this list - I personally (as I stated before) use to null-route prefixes you report. I don't intend to recommend this sort of policy to everyone - this is just my company's routing policy. Some others (even large backbones) even use Spamhaus's DROP lists which I don't trust.
I think what we all need is some RIPE-managed database to list such prefixes and NCC-appointed persons to approve them as 'rogue' if there was enough evidence provided. Such a database may be provided by means of DNSBL and BGP feed. Such a database can be voluntarily used by those ISPs who are committed to keeping Internet clean of UBE, DDoS, spoofing, and so on and so forth. This would be a good community-driven alternative to commercial DNSBLs, DROPs, etc.
On 08/09/16 22:53, Ronald F. Guilmette wrote:
I see that there is an interesting and active discussion on this now. Everyone may be sure that I will be posting further comments shortly which clarify my personal position on all the matters discussed so far.
In the meantime however, I just realized that I neglected to clarify how I came to find that VERIFIED[.]IS web site in the first place.
It may not be at all important, but just so everyone knows, I found that VERIFIED[.]IS indirectly. First, I stumbled onto the following web site, which is clearly selling credit cards *and* also (U.S.) social security numbers (SSNs) and dates-of-birth (DOBs). (You can even pick out which U.S. state you prefer!) These bits of information are often helpful to people intent on committing identity theft:
http://www.wellsfargo.lequeshop[.]ru/
As you can see, there is an email address on the above page. It is <mixx@exploit.im>. I simply googled that email address and then started to visit the web sites found.
One of them was verified[.]is
But this criminal carder ... who seems to be Russian... is also active on many other web sites, presumably selling what he has to offer in many different forums.
Regards, rfg
--
Kind regards,
CTO at Foton Telecom CJSC
Tel.: +7 (499) 679-99-99
AS42861 on PeeringDB, Qrator, BGP.HE.NET
http://ipv6actnow.org/
So, you stumbled across some potential criminal activity, then you notified law enforcement and/or Interpol?
Or you think that it is a better solution for RIPE to investigate criminal activity and simply to 'null-route' child pornographers, identity thieves and criminal syndicates?
You are saying that you would rather discuss criminal syndicates on an anti abuse discussion list?
So, we should investigate crimes now and then disable their routing or email or what?
On Tue, 09 Aug 2016 12:53:34 -0700 "Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:
I see that there is an interesting and active discussion on this now. Everyone may be sure that I will be posting further comments shortly which clarify my personal position on all the matters discussed so far.
In the meantime however, I just realized that I neglected to clarify how I came to find that VERIFIED[.]IS web site in the first place.
It may not be at all important, but just so everyone knows, I found that VERIFIED[.]IS indirectly. First, I stumbled onto the following web site, which is clearly selling credit cards *and* also (U.S.) social security numbers (SSNs) and dates-of-birth (DOBs). (You can even pick out which U.S. state you prefer!) These bits of information are often helpful to people intent on committing identity theft:
http://www.wellsfargo.lequeshop[.]ru/
As you can see, there is an email address on the above page. It is <mixx@exploit.im>. I simply googled that email address and then started to visit the web sites found.
One of them was verified[.]is
But this criminal carder ... who seems to be Russian... is also active on many other web sites, presumably selling what he has to offer in many different forums.
Regards, rfg
participants (4)
- andre@ox.co.za
- Ronald F. Guilmette
- Sergey
- Suresh Ramasubramanian